Post AafVkY1gK4yDBCsdd2 by calebwoodbine@mastodon.nz
(DIR) Post #AafMtQo3dU83o5fXGK by mjg59@nondeterministic.computer
2023-10-11T16:34:42Z
0 likes, 0 repeats
What I want:
1) Reproducible container builds
2) Certificate-transparency style cert issuance if multiple trusted build environments build an identical container
3) Per-container remote attestation to allow verification that the container you're speaking to matches the certificate it's presenting
4) Integration with technologies like SEV to ensure that the host environment generating the attestation is itself trustworthy

Sigstore feels like it gets /part/ of the way, but not entirely?
(DIR) Post #AafPSQ36dw1VVBWEiG by nop@hachyderm.io
2023-10-11T17:04:36Z
0 likes, 0 repeats
@mjg59 chainguard is working towards this but it’s with their own tools that are open source. Might be difficult with just Dockerfiles only.
(DIR) Post #AafPzyn6UiiUoB2LBY by Foxboron@chaos.social
2023-10-11T17:10:32Z
0 likes, 0 repeats
@mjg59 sigstore only partially solves 2 and 3 I believe?
1 is mostly solvable with some caveats.
4 is not something I've seen before I think?
(DIR) Post #AafRTfxz9ELf4CqnvE by mlieberman@hachyderm.io
2023-10-11T17:27:06Z
0 likes, 0 repeats
@mjg59 This sounds like a combination of SPIFFE+Sigstore+Keylime and maybe a few other things?

Regarding 4 we've seen still a lot of issues with the open source libraries around hardware attestations.
(DIR) Post #AafSaVMJ5MBE9I2yjw by penguin42@mastodon.org.uk
2023-10-11T17:41:53Z
0 likes, 0 repeats
@mjg59 Isn't (4) just a vTPM attestation of the host where the vTPM is tied to the SEV/etc setup? For (3) do you still want conventional containers rather than something Kata like?
(DIR) Post #AafUhgZdzCKorppyAi by seph@metasocial.com
2023-10-11T18:02:40Z
0 likes, 0 repeats
@mjg59 I think notary is aiming at this, but it’s a huge project. The last version is dead, and I suspect the next will be overcomplicated.
(DIR) Post #AafVkY1gK4yDBCsdd2 by calebwoodbine@mastodon.nz
2023-10-11T18:14:52Z
0 likes, 0 repeats
@mjg59 projects which implement https://slsa.dev sound like what you’re looking for
(DIR) Post #AafhG14JUbjpj5JqaW by civodul@toot.aquilenet.fr
2023-10-11T20:23:30Z
0 likes, 0 repeats
@mjg59 Guix supports reproducible builds, with tooling to verify source/binary correspondence and to challenge servers that provide binaries.
https://guix.gnu.org/manual/en/html_node/On-Trusting-Binaries.html

Additionally, ‘guix pack’ produces Docker containers from Guix binaries; the container build process is again verifiable (it stands alone, does not rely on Dockerfiles and external tools).
https://guix.gnu.org/manual/en/html_node/Invoking-guix-pack.html

Might be close to what you’re looking for!